FOSSA Logo
A
DevOps
CI/CD
General Concepts

Artifact

A file or package produced by the build process, such as an executable, container image, library, or other deployable component.

What is an Artifact?

In software development, an artifact is a file or package that is produced during the build process and is intended for deployment, distribution, or further processing. Artifacts are the tangible outputs of the software development lifecycle and represent the culmination of coding, building, and testing efforts.

Artifacts can take many forms depending on the programming language, framework, or deployment target, including executables, libraries, container images, packages, archives, documentation, or even infrastructure templates.

Common Types of Artifacts

  1. Executable Binaries - Compiled programs that can be directly executed (e.g., .exe files for Windows, ELF files for Linux)

  2. Libraries - Reusable code packaged for consumption by other software (e.g., .dll, .so, .jar files)

  3. Packages - Language-specific bundled code intended for distribution (e.g., npm packages, Python wheels, Ruby gems)

  4. Container Images - Self-contained environments that package code with its dependencies (e.g., Docker images, OCI images)

  5. Archives - Compressed files containing multiple artifacts or resources (e.g., .zip, .tar.gz)

  6. Web Assets - Optimized files for web applications (e.g., minified JavaScript, bundled CSS)

  7. Documentation - Generated API references, user guides, etc.

  8. Infrastructure as Code Templates - Deployable infrastructure definitions (e.g., Terraform plans, CloudFormation templates)

Artifact Management

Proper artifact management is crucial for a robust software supply chain:

Storage and Distribution

Artifacts are typically stored in specialized repositories called artifact registries, such as:

  • Docker Hub or Harbor for container images
  • Maven Central or JFrog Artifactory for Java artifacts
  • npm Registry for JavaScript packages
  • PyPI for Python packages
  • NuGet Gallery for .NET packages

Versioning

Artifacts are usually versioned to track changes and ensure compatibility. Common versioning schemes include:

  • Semantic Versioning (SemVer) - e.g., 1.2.3
  • Calendar Versioning (CalVer) - e.g., 2023.06.1
  • Build numbers - e.g., 1.0.build.123

Metadata

Artifacts should include metadata such as:

  • Version information
  • Build timestamp
  • Commit hash or source reference
  • Author or builder identity
  • Dependencies
  • License information

Artifact Security

Security considerations for artifacts include:

  1. Integrity - Ensuring artifacts haven't been tampered with after creation

  2. Authenticity - Verifying artifacts come from trusted sources

  3. Provenance - Tracking the complete origin and build process of artifacts

  4. Vulnerability Scanning - Checking artifacts for known security vulnerabilities

  5. Signing - Cryptographically signing artifacts to verify their authenticity

Best Practices for Artifact Management

  • Use immutable artifacts that are never modified after creation
  • Store artifacts in secure, access-controlled registries
  • Implement retention policies for artifacts to manage storage
  • Sign artifacts to verify authenticity
  • Include Software Bill of Materials (SBOM) with artifacts
  • Scan artifacts for vulnerabilities before deployment
  • Implement reproducible builds to ensure consistent artifacts
  • Use descriptive naming and versioning conventions
  • Document dependencies and compatibility requirements

Related Terms

Build System

Software that automates the process of converting source code into executable applications, handling compilation, linking, packaging, and other build tasks.

Provenance

Metadata that describes the origin, creation process, and supply chain journey of a software artifact, enabling verification of its authenticity and integrity.